IPSec, IPTables, multiple subnets

Discussion in 'Linux Networking' started by SilkBC, Mar 27, 2007.

  1. SilkBC (Guest)


    How do you tell IPTables to not masquerade several specific subnets,
    or alternatively, masquerade *only* one specific subnet but not
    everything else?

    We have several remote sites with the following subnets:

    site1 (main office):
    site2 (remote):
    site3 (remote):
    site4 (remote):

    We are wanting to run full two-way site-to-site VPNs between the
    remote sites and the main office. We are able to get one tunnel
    working properly, but the others, while the tunnels are indeed up, we
    cannot ping across to them from the main office. The VPN is IPSec.

    Here is the current masquerading rule (on the main office firewall/
    gateway), which is allowing the one IPSec tunnel to work no problem:

    iptables -t nat -A POSTROUTING -o eth0 -d ! -j

    which is saying to masquerade all traffic going through eth0 *except*
    for traffic destined for the network.

    IPSec does not create its own interface unfortunately, but rather
    "shares" eth0.

    I have tried this rule:

    iptables -t nat -A POSTROUTING -o eth0 -s -j

    which I thought would masquerade *only* traffic from the
    subnet through eth0, but that didn't work (and looking at it closer, I
    am able to see why).

    Any help appreciated.

    TIA. I look forward to hearing from you.

    SilkBC, Mar 27, 2007
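    The question above is about excluding several site-to-site subnets from a single MASQUERADE rule. The script below is an added example, not code from either poster: it builds the POSTROUTING chain so that traffic from the office LAN to each remote subnet hits an ACCEPT rule first (ACCEPT in the nat table ends POSTROUTING processing for that packet, so it never reaches MASQUERADE), and only the remaining Internet-bound traffic is masqueraded. All subnets are constructed RFC 5737 documentation ranges, eth0 is assumed to be the WAN interface as in the thread, and the second variant assumes the iptables policy match (`-m policy`) is available, which lets you skip NAT for anything that will be IPsec-encapsulated without listing the remote subnets at all.

```shell
#!/bin/sh
# Added example, not from the thread. Default is a dry run that prints the
# iptables commands; run with IPT=iptables to apply them on a gateway.
IPT="${IPT:-echo iptables}"

LAN="192.0.2.0/24"                            # constructed: main-office LAN
WAN_IF="eth0"                                 # assumed WAN interface
REMOTES="198.51.100.0/24 203.0.113.0/24"      # constructed: IPsec remote subnets

# Variant 1: explicit exclusions. Rule order is what matters here: the
# per-subnet ACCEPT rules must come before the catch-all MASQUERADE.
# usage: nat_rules LAN WAN_IF REMOTE_SUBNET...
nat_rules() {
    lan="$1"; wan_if="$2"; shift 2
    for remote in "$@"; do
        # ACCEPT in the nat table stops rule traversal for this packet,
        # so LAN -> remote traffic keeps its private source address.
        $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan" -d "$remote" -j ACCEPT
    done
    # Everything else from the LAN leaving via the WAN interface is masqueraded.
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan" -j MASQUERADE
}

# Variant 2: no subnet list. Packets that match an outbound IPsec policy
# (i.e. will be tunnelled) skip NAT; everything else is masqueraded.
# usage: nat_rules_policy LAN WAN_IF
nat_rules_policy() {
    lan="$1"; wan_if="$2"
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan" -j MASQUERADE
}

# Dry-run both variants when executed directly.
nat_rules "$LAN" "$WAN_IF" $REMOTES
nat_rules_policy "$LAN" "$WAN_IF"
```

    After applying either variant, `iptables -t nat -L POSTROUTING -v -n` should show the ACCEPT rule(s) above the MASQUERADE rule, and the ACCEPT packet counters should increase when pinging a remote subnet from the LAN; if they stay at zero while MASQUERADE counts up, the packets are being rewritten before they enter the tunnel.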

  2. Given that I'm no IPSec or iptables expert, you might try this:

    iptables -t nat -A POSTROUTING -o eth0 -d ! -j MASQUERADE

    It would seem to masquerade all traffic output through eth0 except
    that to the VPNs, assuming no traffic to goes out eth0.
    But since my view of eth0/IPSec VPN/"shares" is cloudy at best that
    assumption could easily be wrong.
    Clifford Kite, Mar 27, 2007

  3. SilkBC (Guest)

    I had considered the above, but thought it would have prevented the
    LAN traffic at the main site ( from being masqueraded/
    NAT'd out to the Internet. I gave it a try anyway, and it doesn't
    seem to affect that traffic.

    Having done that, I have made some progress: from the
    (main site) network, I am able to ping the private gateway IPs of the
    routers at the different sites (10.175.x.254) whereas I was not able
    to do so previously. I am unable to ping any of the PCs behind the
    gateways, however (though I can do so if I SSH to the gateway itself
    and start pinging the IPs of the PCs).

    I was thinking this may be a routing issue until I was actually able
    to ping just one of the PCs in the subnet, though I
    cannot ping any of the others behind it.

    The firewall is not an issue, as it is running the exact same one as
    the site with the subnet (which is working 100% as it
    should). The routing tables are also exactly the same, except for the
    local subnet and of course the ISP gateway they have to go through.

    Open to any other suggestions... :)

    -Alan M.
    SilkBC, Mar 29, 2007
  4. It smacks of the lack of IP forwarding on the VPN gateways, except
    for the one for of course. You also might enquire as to
    whether there is anything special about the PC that responds to pinging.
    That seems to contradict my suggestion: if IP forwarding is missing
    on the gateway then no PC should respond and if it isn't then all PCs
    should respond.

    Anyway, since is still 100% with the new rule it seems
    like the other subnets should also work with it.

    corncob:~# cat /proc/sys/net/ipv4/ip_forward
    Clifford Kite, Mar 29, 2007
